
A bug in signature-checking weakens most anti-malware tools

One of the basic checks which all malware protection should make is whether apps and other code have been correctly signed. Details of a bug revealed on Twitter today by Patrick Wardle, of Digita Security and Objective-See, show that most anti-malware tools can easily be spoofed into reporting code as validly signed by Apple when it is nothing of the kind.

The problem lies buried in a function in the macOS Security framework, SecStaticCodeCheckValidity(), which is used by almost all signature-checking tools and apps (including Apple’s command line tools) to validate the signature of a file. Apple’s description of this function reads: “This function obtains and verifies the signature on the code specified by the code object. It checks the validity of all sealed components, including resources (if any). It validates the code against a code requirement if one is specified. The call succeeds if all these conditions are satisfactory.”

It is possible for a malware author to craft a file which tricks this function into returning a successful result, reporting that the code carries a valid signature from Apple, although there is nothing of the kind.

macOS Gatekeeper doesn’t appear to be affected by this, so it should still return reliable results. However, the flawed function is used by most, perhaps all, other anti-malware tools. Malware which exploits this vulnerability could therefore pass the signature-checking stage of their checks, and be treated as legitimate Apple code.

Patrick has found a workaround, and has already updated Objective-See’s invaluable signature-checking tool WhatsYourSign, which shouldn’t now succumb to this spoofing. If you rely on any other malware checking tools, such as an anti-virus product, you may want to install the updated WhatsYourSign (version 1.4.1) and perform manual checks until that product has been updated to address this problem.

Anti-virus and security product vendors should already be busy preparing updates to all their apps.

Postscript:

Patrick Wardle points out that this bug was first discovered and reported by Josh Pitts. He also reports that SecStaticCodeCheckValidity() does work if you tell it to perform strict verification (the kSecCSStrictValidate flag), or to verify all the architectures in the file (kSecCSCheckAllArchitectures). However, its default flags (which should validate the ‘native’ architecture which will run when you run the code) fail in this case, resulting in this incorrect behaviour. Any tool which calls the function with the default flags therefore inherits the bug until it is changed to pass one of those flags.
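As an added example (not code from this post, from Apple, or from Objective-See), here is a small Swift command line check which calls SecStaticCodeCheckValidityWithErrors() twice on the same file: once with the default flags that most tools were using, and once with kSecCSStrictValidate and kSecCSCheckAllArchitectures set, in both cases against the code requirement “anchor apple” (signed by Apple itself). It also uses SecCopyErrorMessageString() to turn a raw status such as -67054 into Apple’s text for it. The function and type names are my own, and the fallback path /bin/ls is an assumption for a quick test on a Mac.

```swift
import Foundation
import Security

/// Outcome of one validity check: the raw OSStatus and a readable explanation.
struct CheckResult {
    let status: OSStatus
    let message: String
    var passed: Bool { status == errSecSuccess }
}

/// Map an OSStatus (e.g. -67054) to Apple's description of it, if it has one.
func describe(_ status: OSStatus) -> String {
    if let text = SecCopyErrorMessageString(status, nil) as String? {
        return text
    }
    return "unknown status \(status)"
}

/// Check the file at `path` against the requirement "anchor apple" using `flags`.
func checkValidity(path: String, flags: SecCSFlags) -> CheckResult {
    var staticCode: SecStaticCode?
    let url = URL(fileURLWithPath: path) as CFURL
    var status = SecStaticCodeCreateWithPath(url, [], &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        return CheckResult(status: status, message: describe(status))
    }

    // "anchor apple" means the signature must chain to Apple's own root,
    // which is exactly the property a spoofed file was claiming to have.
    var requirement: SecRequirement?
    status = SecRequirementCreateWithString("anchor apple" as CFString, [], &requirement)
    guard status == errSecSuccess, let req = requirement else {
        return CheckResult(status: status, message: describe(status))
    }

    var cfError: Unmanaged<CFError>?
    status = SecStaticCodeCheckValidityWithErrors(code, flags, req, &cfError)
    if let err = cfError?.takeRetainedValue() {
        return CheckResult(status: status, message: CFErrorCopyDescription(err) as String)
    }
    return CheckResult(status: status, message: describe(status))
}

/// Run the default check and the hardened check side by side.
func compareChecks(path: String) -> (defaultCheck: CheckResult, hardenedCheck: CheckResult) {
    // Default flags: only the slice that would run on this machine is validated.
    let defaultFlags: SecCSFlags = []
    // Hardened flags: strict validation, and every architecture in a universal file.
    let hardenedFlags = SecCSFlags(rawValue: UInt32(kSecCSStrictValidate | kSecCSCheckAllArchitectures))
    return (checkValidity(path: path, flags: defaultFlags),
            checkValidity(path: path, flags: hardenedFlags))
}

// Usage: swiftc checksig.swift -o checksig && ./checksig /path/to/binary
// /bin/ls is only an assumed default so the tool does something when run bare.
let target = CommandLine.arguments.count > 1 ? CommandLine.arguments[1] : "/bin/ls"
let (byDefault, hardened) = compareChecks(path: target)
print("default flags      : \(byDefault.passed ? "valid" : "INVALID") (\(byDefault.status): \(byDefault.message))")
print("strict + all archs : \(hardened.passed ? "valid" : "INVALID") (\(hardened.status): \(hardened.message))")
if byDefault.passed && !hardened.passed {
    print("WARNING: file passes the default check but fails the strict/all-architecture check")
}
```

A file which passes the first check and fails the second is exactly the case described above, and should be treated as unsigned. Note that strict validation is also the setting which trips over the sealed-resource problems discussed in the comments, so a failure under the hardened flags with a resource-related status is not by itself evidence of spoofing; read the status text before drawing conclusions.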


8 Comments

Today, checking with the WhatsYourSign.app I found some signing issues in the following applications: iTunes, GarageBand, Keynote, Numbers, Pages, and I’m not sure about Xcode because it got stuck.
What exactly is the unknown (status/error: -67054)?
Thanks in advance!

Thank you.
Are you using High Sierra? In Sierra 10.12.6, those apps (apart from Xcode) are all given as being correctly signed here. Xcode doesn’t seem to want to complete here either.
I’ll pass this information on to Patrick Wardle.
Howard.

Patrick is taking a look at this now.
He says that the problem with such strict checking is that some existing items may not pass as clearly, and need less strict checks! Xcode is so large that checking may take a very long time.
Howard.

Thanks for your reply.
No, I don’t use High Sierra because of its many problems. I went back to Sierra 10.12.6.
But what does the unknown (status/error: -67054) really mean? Where can I read about these codes?
Thanks again for your time.

That is an error code, which apparently means “A sealed resource is missing or invalid.”
These error codes are conveniently defined in Apple’s labyrinthine developer documentation, in most cases. This makes it impossible for the great majority of users to understand or interpret them.
Fortunately, there is a superb website which can check them for you, here.
That’s where I looked that error up!
Howard.

This is not something that you should worry about. This is a problem in macOS support for checking signatures, not in the signatures themselves. Presuming that you obtained these apps from the App Store, there is no reason to suspect that there is anything wrong with them.
If you want to be completely certain, you could delete your copies and download them again from the App Store, but I wouldn’t waste your time and effort doing that, if I were you.
I hope that reassures you,
Howard.